[Bug]: Clarify how “Log-in credentials, save in session” still permits External Storage access with tokens #33943
Comments
Problem/behavior is still the same on 25.0.3. Windows and iPhone clients are connected with a device password; they don't know my LDAP login credentials. Still, I can access the SMB shares with my iPhone and my Windows Nextcloud client. I still don't know why this is possible; the documentation says:
Today I synced this external share with Nextcloud's official client on macOS. The sync client is connected with a device password; it does not know the LDAP credentials. I still wonder why this is possible and whether user credentials are stored somewhere on the Nextcloud server even if I use "Log-in credentials, save in session" for mounting external storage. I really don't want my Nextcloud server to know the LDAP credentials of all my users.
Is there any update on this? The "Log-in credentials, save in session" mechanism uses the Nextcloud login credentials of the user to connect to the storage. These are not stored anywhere on the server, but rather in the user session, giving increased security. This method has some important drawbacks, since Nextcloud has no access to the storage credentials and therefore cannot perform any background tasks on the storage:
Related: #43260
Also interested in this. I would also like to ask if anyone is able to advise.
Or am I best to use the manually added, stored-in-database option for this?
Bug description
My Nextcloud:
Version 24.0.4
User auth over LDAP/MS-AD
Access over NGINX reverse proxy (User-->NGINX: https/letsencrypt, NGINX-->Nextcloud: http)
I added an SMB share to my Nextcloud and used the option "Log-in credentials, save in session" for credentials.
The documentation says:
"The Log-in credentials, save in session mechanism uses the Nextcloud login credentials of the user to connect to the storage. These are not stored anywhere on the server, but rather in the user session, giving increased security."
and
"Desktop and mobile clients that use tokens to authenticate can not access those shares"
This is exactly what I want; I don't want to store credentials of users permanently on my server.
But I noticed that as soon as I added the external storage, my Nextcloud Windows client started to sync the whole SMB share. I also have access to my SMB share over my Nextcloud iOS app. Both apps, Windows and iOS, use token authentication as far as I can tell. How is it possible that my apps can access my SMB share?
Where are the credentials stored? (I guess they must be stored somewhere, because otherwise the apps would have no access.)
Here someone else experienced the same problem, but no one could help:
https://help.nextcloud.com/t/external-storage-credentials-save-in-session-and-desktop-sync-how-does-this-work/92602/2
Steps to reproduce
2a. connect iOS app with token/QR-code
2b. access SMB share over iOS app
3a. alternatively, connect Windows desktop app with token
3b. access SMB share over windows app
Expected behavior
Expected behavior as described in official documentation:
"Desktop and mobile clients that use tokens to authenticate can not access those shares"
Installation method
Community Manual installation with Archive
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response
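A direct way to investigate the question raised above ("Where are the credentials stored?") is to inspect the Nextcloud database rather than guess. The following is an added example and is not code from this issue or from the Nextcloud project. It assumes the default `oc_` table prefix and the table and column names of a recent server (`oc_external_mounts`, `oc_external_config`, `oc_storages_credentials`, `oc_authtoken`); confirm them with `SHOW COLUMNS FROM <table>;` on your own instance before relying on the output. The queries only enumerate the places where credential-like data can live; they do not by themselves establish which of these the sync clients use.

```sql
-- Added example, not from the issue or the Nextcloud project.
-- Assumes the default "oc_" prefix and MariaDB/MySQL syntax; verify the
-- schema with SHOW COLUMNS FROM oc_external_mounts; etc. before use.

-- 1. Which external mounts use a password-based auth backend, and which one?
--    The session mechanism from the docs shows up as a "password::..." backend.
SELECT m.mount_id, m.mount_point, m.storage_backend, m.auth_backend
FROM oc_external_mounts AS m
WHERE m.auth_backend LIKE 'password::%'
ORDER BY m.mount_id;

-- 2. Mount options stored server-side for those mounts.
--    A mount configured with a permanently stored password has a 'password'
--    key here; the value is redacted in the output so the query is safe to
--    paste into a ticket.
SELECT c.mount_id,
       c.`key`,
       CASE WHEN c.`key` = 'password' THEN '<redacted>' ELSE c.value END AS value
FROM oc_external_config AS c
JOIN oc_external_mounts AS m ON m.mount_id = c.mount_id
WHERE m.auth_backend LIKE 'password::%'
ORDER BY c.mount_id, c.`key`;

-- 3. Per-user credential rows kept by the server's credentials manager.
--    Only the blob length is shown, never the (encrypted) content.
SELECT `user`, identifier, LENGTH(credentials) AS blob_len
FROM oc_storages_credentials
ORDER BY `user`, identifier;

-- 4. App/device tokens (what the desktop and mobile clients log in with).
--    Check per token whether the password column is populated; a NULL here
--    means the token row carries no password material at all.
SELECT uid,
       name,
       type,
       (password IS NOT NULL) AS has_password,
       password_invalid,
       FROM_UNIXTIME(last_activity) AS last_activity
FROM oc_authtoken
ORDER BY uid, name;
```

Run the queries as the Nextcloud database user (read-only is sufficient). Comparing the results of query 2 and query 4 for the user whose client syncs the share is the quickest way to see whether the server holds any password material for that mount and that device token; the issue thread itself does not settle this.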